PECB Lead Implementer (ISO/IEC 27001) — Question 5
Which of the following statements regarding information security risk is NOT correct?
Answer options
- A. Information security risk is associated with the potential that the vulnerabilities of an information asset may be exploited by threats
- B. Information security risk cannot be accepted without being treated or during the process of risk treatment
- C. Information security risk can be expressed as the effect of uncertainty on information security objectives
Correct answer: B
Explanation
The correct answer is B because accepting a risk, with or without treating it, is a legitimate risk management option, depending on the organization's risk appetite; B's claim that a risk can never be accepted is therefore incorrect. Options A and C accurately describe the nature and expression of information security risk.